Security. A couple of points I came across in the last couple of weeks. Some random ramblings, really, on how to make your Linux server (I am running a CentOS 7.4 server myself) a bit more secure. There are far more elaborate posts on this blog, but every little bit counts.
Since the start of this year I have an absolute love and passion for everything Linux and security related. For the moment I absolutely ‘breathe’ security. When I’m on the road, in the shower, picking up groceries: I’m always thinking about how to make things more secure.
Wheel users and su
Only wheel users should be able to run su. You can make su a little more secure by restricting the permissions on the binary itself: change its group to wheel and then set the permissions again so that only root and members of wheel can execute it, keeping the setuid bit. Note: before you do this, make sure your administrator account is in the wheel group, otherwise that account can no longer run su at all.
# chown :wheel /bin/su
# chmod 4750 /bin/su
Tools like rkhunter will complain about the changed ownership and permissions, so you’ll have to whitelist the file in the appropriate config.
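As an added example (not part of the original post), here is a small POSIX shell audit for the layout described above: it checks that su is group wheel with mode 4750 and that the named admin account really is in wheel before you rely on the change. It assumes GNU coreutils `stat -c` (present on CentOS) and `id -nG`; the path defaults to /bin/su.

```shell
#!/bin/sh
# Added example, not from the original post: audit the hardened su layout
# (group wheel, mode 4750) and confirm the admin is in wheel.
# Assumes GNU `stat -c` and `id -nG` (both available on CentOS 7).

# Pure check on the values stat prints: group must be wheel and the mode
# 4750 (setuid, rwx for root, r-x for wheel, nothing for others).
su_mode_ok() {            # args: GROUP MODE
    [ "$1" = "wheel" ] && [ "$2" = "4750" ]
}

# Is USER a member of GROUP (primary or supplementary)?
user_in_group() {         # args: USER GROUP
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Full audit: returns 0 when everything matches the post's layout, otherwise
# prints what is off on stderr and returns 1.
audit_su() {              # args: ADMIN_USER [SU_PATH]
    admin=$1
    su_path=${2:-/bin/su}
    rc=0
    grp=$(stat -c '%G' "$su_path") || return 1
    mode=$(stat -c '%a' "$su_path") || return 1
    if ! su_mode_ok "$grp" "$mode"; then
        echo "$su_path is $grp/$mode, expected wheel/4750" >&2
        rc=1
    fi
    if ! user_in_group "$admin" wheel; then
        echo "$admin is not in wheel: restricting su now would lock that account out" >&2
        rc=1
    fi
    return $rc
}

# Usage: audit_su myadmin  (add a second argument to check a different su path)
```

Run `audit_su <your-admin-user>` after the chown/chmod; a zero exit status means both the binary and the group membership are as intended, which is also the check to put in a post-provisioning script.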
Security Enhanced Linux
Running CentOS or Red Hat has the huge advantage of SELinux being installed, configured and running out of the box. SELinux is Mandatory Access Control (MAC), an additional layer of security on top of Linux’s default Discretionary Access Control (DAC). One of my next posts will be an in-depth one on SELinux, but for now remember these points:
- SELinux should be enabled on your system, no matter what
- Every piece of software, manual or walkthrough that dictates that you should disable SELinux should be ignored and discarded
- Check your SELinux status with
- Enable SELinux with
# setenforce 1
and in
World writable files and folders
Check out this command:
# find / -perm -0002 ! -type l -ls | wc -l
This will give you a huge number. All these files have world-writable permissions set. So are they all a security hazard? Luckily: no. If everything is as it should be, they all have the sticky bit set.
When there are files that ARE world writable and DO NOT have the sticky bit set, they ARE a problem. Check whether your filesystem is at risk:
# find / -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print
# find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
If you get any output, it’s probably not a good sign. Something is misconfigured and/or someone managing the system before you fucked up. In any case, delete the files, give them appropriate permissions or the sticky bit with
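To see what the two find commands actually flag before running them against / on a real server, here is an added POSIX shell example (not from the original post) that builds a scratch directory with constructed sample entries, runs the same predicates scoped to that tree, counts the offenders, and applies the remediation the post describes: drop the world-write bit on files, add the sticky bit on directories that must stay world writable. The function and directory names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the world-writable
# checks against a constructed scratch tree, then remediate. Uses only
# POSIX find/chmod plus mktemp.

# Same predicates as the post's two find commands, scoped to one tree:
# regular files and directories that are world writable and lack the sticky bit.
find_ww_no_sticky() {     # args: ROOT
    find "$1" -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Number of offenders; handy for a cron or monitoring check (non-zero = act).
count_ww_no_sticky() {    # args: ROOT
    find_ww_no_sticky "$1" | wc -l | tr -d ' '
}

# Constructed sample tree with one example of each case. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/tmpdir_ok"  && chmod 1777 "$d/tmpdir_ok"   # world writable + sticky: fine (like /tmp)
    mkdir "$d/tmpdir_bad" && chmod 0777 "$d/tmpdir_bad"  # world writable, no sticky: flagged
    touch "$d/file_ok"    && chmod 0644 "$d/file_ok"     # not world writable: fine
    touch "$d/file_bad"   && chmod 0666 "$d/file_bad"    # world writable file: flagged
    echo "$d"
}

# Remediation: files almost never need o+w, so remove it; directories that
# genuinely must stay world writable get the sticky bit so users can only
# delete their own entries.
fix_ww_no_sticky() {      # args: ROOT
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod +t {} +
}

# Usage on the sample tree:
#   d=$(make_sample_tree); count_ww_no_sticky "$d"; fix_ww_no_sticky "$d"; rm -rf "$d"
```

On the constructed tree the count is 2 before the fix (the 0777 directory and the 0666 file) and 0 afterwards; on a real system run `find_ww_no_sticky /` first and review the list before applying `fix_ww_no_sticky`, since some application directories expect world write and should get the sticky bit rather than lose the permission.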